
Error parsing dashboard XML: The URI to be decoded is not a valid encoding. Go to "Edit Source" to fix

Windows Overview Dashboard error. Error parsing dashboard XML: The URI to be decoded is not a valid encoding. Go to "Edit Source" to fix

Source:

Windows Overview - v2.4

General Information System Statistics Panel

Active Users
index=winevents EventCode=4624 OR EventCode=528 |dedup user |stats count(user)

Total AD Users
|inputlookup AD_Users.csv |stats count(DisplayName)

Active Hosts
index=winevents |dedup host |stats count(host)

Total AD Hosts
|inputlookup AD_Hosts.csv |stats count(DisplayName)

User Account Action Panel

Newly Created Accounts
index=winevents EventCode=4720 OR EventCode=624 | chart dc(user)
/app/IA_Overview/search?q=index=winevents EventCode=4720 OR EventCode=624 | eval PerByAcct_7=mvindex(Account_Name,0) | eval PerByAcct_XP=Caller_User_Name| eval PerByAcct=coalesce(PerByAcct_7,PerByAcct_XP)| table EventCode, signature, PerByAcct, user, host, _time | rename PerByAcct AS "Preformed By", user AS "Preformed To"

Account Modifications
index=winevents EventCode=625 OR EventCode=626 OR EventCode=629 OR EventCode=4722 OR EventCode=4725 | chart count
/app/IA_Overview/search?q=index=winevents EventCode=625 OR EventCode=626 OR EventCode=629 OR EventCode=4722 OR EventCode=4725| eval PerByAcct_7=mvindex(Account_Name,0) | eval PerByAcct_XP=Caller_User_Name| eval PerByAcct=coalesce(PerByAcct_7,PerByAcct_XP)| table EventCode, signature, PerByAcct, user, host, _time | rename PerByAcct AS "Preformed By", user AS "Preformed To"

Accounts Deleted
index=winevents EventCode=630 OR EventCode=4726 |chart count
/app/IA_Overview/search?q=index=winevents EventCode=630 OR EventCode=4726 | eval PerByAcct_7=mvindex(Account_Name,0) | eval PerByAcct_XP=Caller_User_Name| eval PerByAcct=coalesce(PerByAcct_7,PerByAcct_XP)| table EventCode, signature, PerByAcct, user, host, _time | rename PerByAcct AS "Preformed By", user AS "Preformed To"

Password Changes
index=winevents EventCode=627 OR EventCode=4723 OR EventCode=628 OR EventCode=4724 Account_Name!=*$ |chart count
/app/IA_Overview/search?q=index=winevents EventCode=627 OR EventCode=4723 OR EventCode=628 OR EventCode=4724 Account_Name!=*$ | eval PerByAcct_7=mvindex(Account_Name,0) | eval PerByAcct_XP=Caller_User_Name| eval PerByAcct=coalesce(PerByAcct_7,PerByAcct_XP)| table EventCode, signature, PerByAcct, user, host, _time | rename PerByAcct AS "Preformed By", user AS "Preformed To"

Account Lockouts
index=winevents EventCode=644 OR EventCode=4740|chart count
/app/IA_Overview/search?q=index=winevents EventCode=644 OR EventCode=4740 | table EventCode, signature, user, host, _time

Computer Account Actions Panel

(Investigate any actions that appear here)

Newly Created Computers
index=winevents EventCode=4741 OR EventCode=645 | stats count(host)
/app/IA_Overview/search?q=index=winevents EventCode=4741 OR EventCode=645 | table EventCode, signature, host, user, _time

Recently Deleted Computers
index=winevents EventCode=4743 OR EventCode=647 | stats count(host)
/app/IA_Overview/search?q=index=winevents EventCode=4743 OR EventCode=647 | table EventCode, signature, host, user, _time

Group Policy Errors
index=winevents EventCode=1202 | stats count(host)
/app/IA_Overview/search?q=index=winevents EventCode=1202 | stats count sparkline AS Trend by host | sort - count

Shutdowns Computer
index=winevents EventCode=4609 OR EventCode=513 | stats count(host)
/app/IA_Overview/search?q=index=winevents EventCode=4609 OR EventCode=513 | table EventCode, signature, host, user, _time

Missing Forwaders
| metadata type=hosts index=winevents | table host, lastTime | eval Checkin = relative_time(now(),"-2h") | where lastTime < Checkin | convert ctime(lastTime) as lastTime | stats count(host)
/app/IA_Overview/search?q=| metadata type=hosts index=winevents | table host, lastTime | eval Checkin = relative_time(now(),"-2h") | where lastTime < Checkin | convert ctime(lastTime) as lastTime| table host, lastTime | sort - lastTime

Software Installs
index=winevents SourceName=MsiInstaller EventCode=11707 host="*" | stats count(host)
/app/IA_Overview/SW_Detailed

Software Uninstalls
index=winevents SourceName=MsiInstaller EventCode=11724 host="*" | stats count(host)
/app/IA_Overview/SW_Detailed

AV Updates
index=winevents EventCode=7 EventType=4 latest=now earliest=-30d@d| stats first(1) by host| stats count(host)
/app/IA_Overview/search?q=index=winevents EventCode=7 EventType=4 | stats count sparkline AS Trend by host| sort + Date

Data Loss Protection Action Panel

(Investigate any actions that appear here)

File Shadow Reads
index=winevents sourcetype="WinEventLog:System" SourceName=scomc EventCode=26 | transaction _time, host, user | stats count
/app/IA_Overview/DLP_Detailed

File Shadow Writes
index=winevents sourcetype="WinEventLog:System" SourceName=scomc EventCode=25 | transaction _time, host, user | stats count
/app/IA_Overview/DLP_Detailed

File Failed Reads
index=winevents sourcetype="WinEventLog:System" SourceName=scomc EventCode=18 | transaction _time, host, user | stats count
/app/IA_Overview/DLP_Detailed

File Failed Writes
index=winevents sourcetype="WinEventLog:System" SourceName=scomc EventCode=19 | transaction _time, host, user| stats count
/app/IA_Overview/DLP_Detailed

Media/Device Actions
index=winevents sourcetype="WinEventLog:System" SourceName=scomc (EventCode=14 OR EventCode=16) | transaction _time, host, user| stats count
/app/IA_Overview/DLP_Detailed

Failed Logon Panel

Failed Logons
index=winevents EventCode=4625 OR EventCode=529 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=535 OR EventCode=537 | stats count
/app/IA_Overview/search?q=index=winevents EventCode=4625 OR EventCode=529 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=535 OR EventCode=537 | stats count sparkline AS Trend by user, signature | sort - count

Failed Logons for Unknown Accounts
index=winevents sourcetype="WinEventLog:Security" (EventCode=4625 Sub_Status=0xC0000064) OR (EventCode=529) |eval Date=strftime(_time, "%Y/%m/%d") |rex "Which\sLogon\sFailed:\s+Security\sID:\s+\S.*\s+\w+\s\w+\S\s.(?<facct>\S.*)" | eval uacct=coalesce(facct,User_Name)| stats count sparkline AS Trend by uacct, host | rename count as "Attempts", uacct as "Account" | sort - Attempts

After Hours Panel

After Hours Logins (Before 6 AM or After 6 PM)
index=winevents EventCode=4624 OR EventCode=528 Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11 | eval logon_hour=strftime(_time, "%H") | where (logon_hour > 18 OR logon_hour < 6) | stats count
/app/IA_Overview/search?q=index=winevents sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=528 Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11 | eval logon_hour=strftime(_time, "%H") | where (logon_hour > 18 OR logon_hour < 6) | stats count sparkline AS Trend by user, host | rename count as "Attempts", user as "Account" | sort - Attempts

After Hours Logins
index=winevents sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=528 Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11 | eval logon_hour=strftime(_time, "%H") | where (logon_hour > 18 OR logon_hour < 6) | stats count sparkline AS Trend by user, host | rename count as "Attempts", user as "Account" | sort - Attempts

Domain Admin Activity
index=winevents EventCode=4624 [|inputlookup AD_Groups.csv| search group_name="Domain Admins" |table member_name| rename member_name AS user]|stats count sparkline AS Trend by user | sort - count
-90d@d
now
/app/IA_Overview/Win_Priv_Detail?form.usertok=$click.value2$
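
The error text reports a URI that cannot be decoded. Assuming it comes from the browser decoding the dashboard's link targets, the check below (an added example, not part of the original post and not Splunk code) flags link strings that `decodeURIComponent()` rejects, such as a bare `%H` from a `strftime` format, and builds the percent-encoded form. `sampleLinks`, `checkLink` and `encodeSearchLink` are hypothetical names, and the sample links are constructed, modelled on the links in the dashboard source.

```javascript
// Added example: locate link targets that fail URI decoding.
// Constructed samples modelled on the dashboard's link targets.
const sampleLinks = [
  '/app/IA_Overview/search?q=index=winevents EventCode=1202 | stats count sparkline AS Trend by host',
  '/app/IA_Overview/search?q=index=winevents EventCode=4624 | eval logon_hour=strftime(_time, "%H") | where logon_hour > 18',
];

// A "%" is a valid escape only when two hex digits follow it.
const BARE_PERCENT = /%(?![0-9A-Fa-f]{2})/g;

// Report whether a link decodes, and where the malformed escapes are.
function checkLink(link) {
  const bad = [];
  for (const m of link.matchAll(BARE_PERCENT)) {
    bad.push({ offset: m.index, text: link.slice(m.index, m.index + 3) });
  }
  let decodable = true;
  try {
    // Also catches escapes that are hex but not valid UTF-8.
    decodeURIComponent(link);
  } catch (e) {
    if (!(e instanceof URIError)) throw e;
    decodable = false;
  }
  return { decodable, bad };
}

// Build a link whose search string is percent-encoded,
// so a literal "%" in the search is written as "%25".
function encodeSearchLink(base, search) {
  return base + '?q=' + encodeURIComponent(search);
}

for (const link of sampleLinks) {
  const { decodable, bad } = checkLink(link);
  const where = bad.map((b) => `${b.text} at offset ${b.offset}`).join(', ');
  console.log(decodable ? 'ok     ' : 'INVALID', link.slice(0, 60), where);
}
```
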
